A campaign has been found to be targeting routers with leaked National Security Agency (NSA) tools and their associated vulnerabilities, according to Akamai researchers. Threat actors are using EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) exploits to target machines that are running “Windows SMB” and “Linux Samba” clients, specifically on ports 145 and 449. The actors behind this campaign are targeting machines and routers, and researchers believe that at least 45,000 routers have been targeted and the amount of vulnerable machines is estimated to be approximately 1.7 million. The affected routers are those that run vulnerable implementations of Universal Plug and Play (UPnP) implementations.

Recommendation: Akamai researchers provide a list of affected devices that can be viewed here: “https://www.akamai.com/cn/zh/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf”. This campaign targets numerous device models and manufacturers and shows the importance of implementing patches as soon as possible to avoid potential malicious behaviour regarding exploits that have available tools associated with them. Every internet-facing device should be viewed as security liability and should be properly maintained.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.